Number of staff and faculty email accounts compromised by phishing attacks down

The number of faculty and staff accounts that have been compromised by phishing scams is down this semester at Eastern.

Five employee accounts were compromised in the month of August 2012, compared to one this year. “Compromised” means an employee responded to a phishing attempt by clicking on a link embedded in a deceptive email, thereby making his email account and its address book accessible to the person who initiated the attack.

“Employees are the ones we’re most concerned about because their accounts contain more sensitive data,” said Mike Gioia, Eastern’s information security officer.

Compromised student accounts rose to nine in August this year, compared to five in August last year.

In 2012, a total of 203 university accounts were compromised, 55 of which were those of faculty and staff, and 148 of which were those of students. Statistics for 2013 are not yet complete, but Gioia expects them to be down, too, both for the month of September and the year.

Gioia credits efforts to educate employees about phishing attacks, as well as technology, for the improvement.

The Information Security unit of Information Technology Services has expanded efforts to educate the campus community about the dangers of phishing.  A portion of the ITS Web page is devoted to this end and is available at http://www.eiu.edu/its/security/Phishing.php. Also, once a phishing attack is reported, Eastern’s network technology allows the deceptive link to be rendered inaccessible, preventing others from clicking it.

Gioia said Eastern never asks employees or students, via email, to provide password or account information.  “No entity on campus will ever ask you or direct you to provide your password or click on a link in an email to change your password,” he said.

Gioia said phishing reflects a “snowball” pattern and affects not just the targeted employee but potentially everyone on the campus network. If users do not learn how to avoid phishing attacks, they are more likely to fall victim to them. That means more compromised accounts, and that means even more attacks being generated through those accounts – a vicious cycle. Conversely, if more users are aware of phishing, fewer accounts will be compromised, leading to fewer attacks.

“We’re here to help,” said Gioia. “Responding to a phishing attempt is just a mistake. If someone is unsure whether they’ve become the victim of a phishing attack, don’t hesitate to send the suspect email to us (If you receive an email that you feel is a phishing attempt, forward it to the following address: phishing@eiu.edu) or contact us (581-1942) and we’ll take a look at it and work with them.”

 

 

 

 


